Security https://bryanruby.com/tags/security en A final goodbye to CMS Report https://bryanruby.com/final-goodbye-cms-report-2006 <span property="schema:name">A final goodbye to CMS Report</span> <div class="field field--name-field-image field--type-image field--label-above"> <div class="field--label">Image</div> <div class="field--items"> <div class="field--item"> <img property="schema:image" src="/sites/default/files/field/image/CMSReportLite_1.PNG" width="955" height="759" alt="CMS Report Lite" typeof="foaf:Image" class="img-responsive" /> </div> </div> </div> <span rel="schema:author"><span lang="" about="/users/bryan-ruby" typeof="schema:Person" property="schema:name" datatype="">Bryan Ruby</span></span> <span property="schema:dateCreated" content="2017-12-01T01:23:23+00:00">Thu, 11/30/2017 - 19:23</span> <div property="schema:text" class="field field--name-body field--type-text-with-summary field--label-hidden field--item"><p><em>Effective immediately, CMS Report has been shut down with socPub designated as the website's full replacement.</em></p> <p>Two months ago, I introduced <a href="/introducing-cms-report-lite-2002">CMS Report "Lite"</a> as a slimmed-down version of the original website. Since our rebranding from <a href="https://www.socpub.com/articles/cms-report-now-socpub-15375"><em>CMS Report</em> to <em>socPub</em></a> earlier this year, a number of content management professionals expressed the need to cite the reputable CMSReport.com for their information and were uncomfortable with referencing an "unknown" website like socPub. With limited success since bringing this nostalgic website back online, I decided it was time to: let the past go; redirect all remaining traffic from CMSReport.com to SocPub.com; and shut down the website for good.</p> <p>While I had hopes that mirroring the content would be a win-win for both websites, the analytics showed otherwise. 
I was prepared to see a decrease of visitors at one website in favor of another, but in reality most of my intended audience, targeting North America, Europe, and Australia, continued to view their content at socPub. CMS Report, on the other hand, attracted less than 12% of my targeted audience, with 85% of the audience instead coming from India in the form of bots trying to look for weaknesses in my content management system. </p> <img alt="Google Analytics Showing Location of CMS Report Site Visitors" data-entity-type="file" data-entity-uuid="da013d8d-553f-4e17-bdcb-50d0aef6c8e3" src="/sites/default/files/inline-images/CMSReportVisitors17.PNG" class="align-center" /><p>I want to be clear, India's citizens are always welcome at my websites. I have a deep respect for content management and information technology professionals from India and some of our best article contributors have come from India. Unfortunately, it was not IT professionals from India that CMS Report was attracting but hackers and bots. Over 98% of the "users" that accessed CMS Report's login screen originated from India. While none of the login attempts breached the website's security, it's a little unsettling that CMSReport.com was being accessed not for its content but as a target for hackers.</p> <p>With most of our previous CMS Report legitimate audience now visiting socPub, I see no reason to continue to support two websites with similar content. 
Once again, goodbye CMS Report and hello socPub.</p></div> <div class="field field--name-field-tags field--type-entity-reference field--label-above"> <div class="field--label">Tags</div> <div class="field--items"> <div class="field--item"><a href="/tags/deeds" property="schema:about" hreflang="en">Deeds</a></div> <div class="field--item"><a href="/tags/content-management" property="schema:about" hreflang="en">Content Management</a></div> <div class="field--item"><a href="/tags/system-administration" property="schema:about" hreflang="en">System Administration</a></div> <div class="field--item"><a href="/tags/seo" property="schema:about" hreflang="en">SEO</a></div> <div class="field--item"><a href="/tags/security" property="schema:about" hreflang="en">Security</a></div> </div> </div> Fri, 01 Dec 2017 01:23:23 +0000 
Bryan Ruby 2006 at https://bryanruby.com As Facebook Removes Fake Accounts, Spam Industry Charges More https://bryanruby.com/facebook-removes-fake-accounts-spam-industry-charges-more-1996 <span property="schema:name">As Facebook Removes Fake Accounts, Spam Industry Charges More</span> <div class="field field--name-field-image field--type-image field--label-above"> <div class="field--label">Image</div> <div class="field--items"> <div class="field--item"> <img property="schema:image" src="/sites/default/files/field/image/fake-1903774_1280.jpg" width="1280" height="874" alt="Fake News - Pixabay CC0 Public Domain" typeof="foaf:Image" class="img-responsive" /> </div> </div> </div> <span rel="schema:author"><span lang="" about="/users/bryan-ruby" typeof="schema:Person" property="schema:name" datatype="">Bryan Ruby</span></span> <span property="schema:dateCreated" content="2017-04-30T13:34:12+00:00">Sun, 04/30/2017 - 08:34</span> <div property="schema:text" class="field field--name-body field--type-text-with-summary field--label-hidden field--item"><p><em>NBC News</em> recently posted an <a href="http://www.nbcnews.com/tech/security/crackdowns-social-media-accounts-backfire-driving-demand-n746841">interesting article</a> where the author notes that the spam industry follows the same Law of Supply and Demand as any capitalist-loving business does. As social networks crack down on fake accounts and fake news, the spam industry is able to charge their customers more to establish such inauthentic accounts.</p> <blockquote> <p>Facebook shut down as many as 30,000 fake accounts in the past week — but that's unlikely to hurt the multi-million-dollar spam industry.</p> <p>In fact, since Facebook's post-election housecleaning, it's become even more lucrative for spammers to pump out "inauthentic accounts." 
The asking price on the black market for 1,000 fake accounts used to be $20, but security changes by the social network giant only succeeded in driving up prices.</p> <p>"If you go to the underground markets where they sell fake Facebook accounts, you can buy 1,000 of these for $300 to $400," Damon McCoy, a New York University computer science professor specializing in cybercrime, told NBC News.</p> </blockquote> <p>Fighting inauthentic accounts and inauthentic activity is not new to social networks. In recent years, Facebook has put a lot of effort into reducing such activities by closing accounts responsible for fake likes and fake news. Last week, Shabnam Shaik, Facebook's Security Technical Program Manager, <a href="https://www.facebook.com/notes/facebook-security/improvements-in-protecting-the-integrity-of-activity-on-facebook/10154323366590766">acknowledged</a> the recent efforts of his security team to fight the spread of misinformation on their social network.</p> <blockquote> <p>With these changes, we expect we will also reduce the spread of material generated through inauthentic activity, including spam, misinformation, or other deceptive content that is often shared by creators of fake accounts. In France, for example, these improvements have enabled us to take action against over 30,000 fake accounts. While these most recent improvements will not result in the removal of every fake account, we are dedicated to continually improving our effectiveness. Our priority, of course, is to remove the accounts with the largest footprint, with a high amount of activity and a broad reach.</p> <p>This effort complements other initiatives we have previously announced that are designed to reduce the distribution of misinformation, spam or false news on Facebook. 
We've found that a lot of false news is financially motivated, and as part of our work to promote an informed society, we have focused on making it very difficult for dishonest people to exploit our platform or profit financially from false news sites using Facebook.</p> </blockquote> <p>As social media has gained in popularity, the trend for email spam had been steadily decreasing for most of this decade. So getting back to the NBC News story, the article also makes one more observation that isn't going to please anyone but those profiting from spam. Recent research conducted by Cisco has shown that for the first time since 2010, email spam is no longer trending down but up. This time around email spammers are frequently targeting businesses instead of individuals. The email spam no longer takes the form of unwanted advertisements but instead uses phishing techniques. It's a subtle reminder that long before fake news on Facebook, we had fake email in our inbox.</p> <p><em>Article originally posted at <a href="https://www.socpub.com/articles/facebook-fights-fake-accounts-black-market-prices-go-15376">socPub</a>.</em></p></div>
<div class="field field--name-field-tags field--type-entity-reference field--label-above"> <div class="field--label">Tags</div> <div class="field--items"> <div class="field--item"><a href="/tags/facebook" property="schema:about" hreflang="en">Facebook</a></div> <div class="field--item"><a href="/tags/security" property="schema:about" hreflang="en">Security</a></div> <div class="field--item"><a href="/tags/spam" property="schema:about" hreflang="en">Spam</a></div> <div class="field--item"><a href="/tags/social-media" property="schema:about" hreflang="en">Social Media</a></div> <div class="field--item"><a href="/tags/words" property="schema:about" hreflang="en">Words</a></div> </div> </div> Sun, 30 Apr 2017 13:34:12 
+0000 Bryan Ruby 1996 at https://bryanruby.com Uncle Sam Wants You To Update Your WordPress Plugins https://bryanruby.com/uncle-sam-wants-you-update-your-wordpress-plugins-1977 <span property="schema:name">Uncle Sam Wants You To Update Your WordPress Plugins</span> <span rel="schema:author"><span lang="" about="/users/bryan-ruby" typeof="schema:Person" property="schema:name" datatype="">Bryan Ruby</span></span> <span property="schema:dateCreated" content="2015-04-15T17:00:00+00:00">Wed, 04/15/2015 - 12:00</span> <div property="schema:text" class="field field--name-body field--type-text-with-summary field--label-hidden field--item"><p><em>In times of war, you may be asked what you can do for your country. In modern times, your country may be asking you to do your part by updating your WordPress plugins.</em></p> <p>The United States' Federal Bureau of Investigation (FBI), through the Internet Crime Complaint Center (<a href="http://www.ic3.gov/default.aspx">IC3</a>), issued a public service <a href="http://www.ic3.gov/media/2015/150407-1.aspx">announcement</a> last week recommending that website administrators update their WordPress sites. More specifically, the bureau wants you to update your third-party WordPress plugins.</p> <p>Why is the FBI worried about your content management system? Apparently, continuous website defacements are being perpetrated by individuals sympathetic to the Islamic State in the Levant (ISIL) a.k.a. Islamic State of Iraq and al-Shams (ISIS). 
According to the FBI, the defacements have affected website operations and the communication platforms of:</p> <ul><li>News organizations</li> <li>Commercial entities</li> <li>Religious institutions</li> <li>Federal/state/local governments</li> <li>Foreign governments</li> <li>A variety of other domestic and international websites.</li> </ul><p>While one wouldn't expect WordPress to house national or company secrets, all this unwanted disruption translates to cost in terms of lost business revenue and expenditures on technical services to repair infected computer systems.</p> <p>But why is the FBI focused on WordPress and not another CMS? In part, it's because WordPress is popular and used by many. The more sites vulnerable to known and specific exploits, the easier it is for hackers to find their target. All victims of the defacements identified by the FBI shared common WordPress plug-in vulnerabilities easily exploited by commonly available hacking tools.</p> <p style="margin-left: 40px;">Researchers continue to identify WordPress Content Management System (CMS) plug-in vulnerabilities, which could allow malicious actors to take control of an affected system. Some of these vulnerabilities were exploited in the recent Web site defacements noted above. Software patches are available for identified vulnerabilities.</p> <p>Successful exploitation of the vulnerabilities could result in an attacker gaining unauthorized access, bypassing security restrictions, injecting scripts, and stealing cookies from computer systems or network servers. An attacker could install malicious software; manipulate data; or create new accounts with full user privileges for future Web site exploitation.</p> <p>What should you do if you run a WordPress site? First, you should ensure that you are running the <a href="https://wordpress.org/download/">latest version</a> of WordPress. As of this writing, that's WordPress 4.1.1.  
The FBI also recommends the following actions be taken:</p> <ul><li>Review and follow WordPress guidelines for improving security (see <a href="http://codex.wordpress.org/Hardening_WordPress">Hardening WordPress</a>).</li> <li>Identify WordPress vulnerabilities using free available tools such as those provided by SecurityFocus, CVE, and US-CERT.</li> <li>Update WordPress by patching vulnerable plugins.</li> <li>Run all software as a non-privileged user, without administrative privileges, to diminish the effects of a successful attack.</li> <li>Confirm that the operating system and all applications are running the most updated versions.</li> </ul><p>The FBI believes the perpetrators of the website defacements are not members of the ISIL terrorist organization. Instead, these individuals are hackers using relatively unsophisticated methods to exploit technical vulnerabilities and are utilizing the ISIL name to gain more notoriety. In other words, the hackers involved are likely the same type of hackers we've seen plenty of times before but only this time around they're hiding behind and using the ISIL brand of fear.</p> <p>Let me end on one final note. While WordPress may be singled out in this article and by the FBI, websites using out-of-date software isn't just a WordPress problem; it is an Internet problem. Website owners wanting to cut corners to save costs or system administrators too lazy (or overworked) to patch their systems need to do a better job in keeping the software they use up to date. 
Whether you're using WordPress or any other open source or proprietary CMS, if you want to keep your website out of the headlines then you need to keep your software up to date.</p> </div> <div class="field field--name-field-tags field--type-entity-reference field--label-above"> <div class="field--label">Tags</div> <div class="field--items"> <div class="field--item"><a href="/tags/wordpress" property="schema:about" hreflang="en">WordPress</a></div> <div class="field--item"><a href="/tags/security" property="schema:about" hreflang="en">Security</a></div> <div class="field--item"><a 
href="/tags/words" property="schema:about" hreflang="en">Words</a></div> </div> </div> Wed, 15 Apr 2015 17:00:00 +0000 Bryan Ruby 1977 at https://bryanruby.com Drupal Security: Not Shocking but Responsible https://bryanruby.com/drupal-security-not-shocking-responsible-1963 <span property="schema:name">Drupal Security: Not Shocking but Responsible</span> <span rel="schema:author"><span lang="" about="/users/bryan-ruby" typeof="schema:Person" property="schema:name" datatype="">Bryan Ruby</span></span> <span property="schema:dateCreated" content="2014-11-01T16:24:44+00:00">Sat, 11/01/2014 - 11:24</span> <div property="schema:text" class="field field--name-body field--type-text-with-summary field--label-hidden field--item"><p>Over the years, I've made it an unwritten policy not to sensationalize bug fixes and security vulnerabilities in content management systems. While there may be great interest in such stories, I believe such stories have a tendency to cause more harm than good. When sensationalized, such articles tend to cause customers to address security concerns with emotion instead of logic, which is never a good thing. So, when the security vulnerability known as "Drupageddon" broke and Drupal developer Bevan Rudge posted "<a href="http://drupal.geek.nz/blog/your-drupal-websites-backdoor">Your Drupal website has a backdoor</a>", I knew this story was going to eventually reach mainstream media. In the meantime, I've been struggling with how best to write this article and what story needs to be told.</p> <p>For those that don't know, Drupageddon is the highly critical SQL injection vulnerability in Drupal 7 core that was fully disclosed by the Drupal Security Team in <a href="https://www.drupal.org/SA-CORE-2014-005">SA-CORE-2014-005</a>. 
Since the dawn of time when databases were introduced to websites, <a href="http://en.wikipedia.org/wiki/SQL_injection">SQL injection</a> vulnerabilities have been discovered and, in the majority of cases, when found are patched by their developers and system administrators. What makes Drupageddon particularly nasty is that the vulnerability can be exploited by users not even logged into your site (in Drupal they're called anonymous users). Worse, if you didn't update your site quickly enough, your site may still be compromised even after applying the fix (in <a href="https://www.drupal.org/download">Drupal 7.32</a> or later versions).</p> <p>It took two weeks, but the media have finally begun to use this Drupal event to sell their headlines. A recent <a href="http://www.bbc.com/news/technology-29846539">BBC article</a> claims that "up to 12 million websites may have been compromised by attackers who took advantage of a bug in the widely used Drupal software". While there is the <em>potential</em> for every single Drupal site on this earth to be compromised, I tend to believe Bevan Rudge's assessment that the real world numbers are more likely in the "hundreds of thousands". But the author of the article also found someone to state that this vulnerability and the need to audit your system for additional vulnerabilities is "shocking".</p> <p>Having managed various software applications and websites for two decades, I find myself annoyed and angry that once again I'm patching and auditing my websites with extreme effort. We've all seen these types of security exploits in a wide range of software applications from a wide range of software developers. Ten years ago I discovered an ecommerce website that I managed hacked due to a SQL injection exploit. What upset me the most wasn't that the site was hacked but that the application's developers were aware of the problem for months but failed to publicly disclose the information to users. 
While the software industry has gotten better at disclosing vulnerabilities and providing fixes for its software, there is a lot of improvement that can still be made.</p> <p>Perhaps what is shocking for those that don't know Drupal's open source community isn't the security exploit itself, but observing Drupal's willingness to fully disclose and take responsible steps to fix what is broken. It has been my experience that too many software vendors attempt to "soften the blow" in their disclosures to please the marketing arm of their company no matter how serious the exploit. Drupal on the other hand often takes the opposite approach. As a CMS critic I don't think I could write stronger words of warning in an article than what Drupal's community already does.</p> <blockquote><p><em><a href="https://www.drupal.org/SA-CORE-2014-005">Drupal Security Team:</a>  </em>A vulnerability in this API allows an attacker to send specially crafted requests resulting in arbitrary SQL execution. Depending on the content of the requests this can lead to privilege escalation, arbitrary PHP execution, or other attacks. This vulnerability can be exploited by anonymous users. [October 15, 2014]</p> </blockquote> <blockquote><p><em><a href="http://drupal.geek.nz/blog/your-drupal-websites-backdoor">Bevan Rudge, Drupal.Geek.NZ</a>:</em> I estimate hundreds of thousands of Drupal websites now have backdoors; between ten and ninety percent of all Drupal websites. Automated Drupageddon exploits were in the wild within hours of the announcement. Updating or patching Drupal does not fix backdoors that attackers installed before updating or patching Drupal. Backdoors give attackers admin access and allow arbitrary PHP execution.</p> <p>If your Drupal 7 (and 8) website is not updated or patched it is most likely compromised. If your website was not updated within a day of the announcement, it is probably compromised. Even if your website was updated within a day, it may be compromised. 
[October 22, 2014]</p> </blockquote> <blockquote><p><em><a href="https://www.drupal.org/PSA-2014-003">Drupal Security Team</a>:</em> While recovery without restoring from backup may be possible, this is not advised because backdoors can be extremely difficult to find. The recommendation is to restore from backup or rebuild from scratch. [October 29, 2014]</p> </blockquote> <p>I'm not a software developer, but I understand the news cycle for covering content management systems very well. Although this is a two-week story for the Drupal community, we can expect to see more articles from authors and experts claiming their shock and dismay that such vulnerabilities in the Drupal software can exist. My spin is simply this: the media is only aware of this story because Drupal takes ownership and responsibility to disclose and address security issues in its own software. I personally find news of the vulnerability a non-story. The real story out there is the companies and software developers who point fingers at Drupal yet are not so forthcoming with their own security vulnerabilities. 
Those are the stories that need to be told.</p> <p><em>This article was originally posted on <a href="http://cmsreport.com/articles/drupal-security-not-shocking-but-responsible-11234">CMS Report</a>.</em></p> </div> <div class="field field--name-field-tags field--type-entity-reference field--label-above"> <div class="field--label">Tags</div> <div class="field--items"> <div class="field--item"><a href="/tags/drupal" property="schema:about" hreflang="en">Drupal</a></div> <div class="field--item"><a href="/tags/planet-drupal" property="schema:about" hreflang="en">Planet Drupal</a></div> <div class="field--item"><a href="/tags/security" property="schema:about" 
hreflang="en">Security</a></div> <div class="field--item"><a href="/tags/information-technology" property="schema:about" hreflang="en">Information Technology</a></div> <div class="field--item"><a href="/tags/words" property="schema:about" hreflang="en">Words</a></div> </div> </div> Sat, 01 Nov 2014 16:24:44 +0000 Bryan Ruby 1963 at https://bryanruby.com Denial of Service on an Apache server https://bryanruby.com/denial-service-apache-server-1701 <span property="schema:name">Denial of Service on an Apache server</span> <span rel="schema:author"><span lang="" about="/users/bryan-ruby" typeof="schema:Person" property="schema:name" datatype="">Bryan Ruby</span></span> <span property="schema:dateCreated" content="2010-07-06T07:20:00+00:00">Tue, 07/06/2010 - 02:20</span> <div property="schema:text" class="field field--name-body field--type-text-with-summary field--label-hidden field--item"><p>Last week was a very frustrating time for me. For whatever reason, an unusually large number of <a href="http://en.wikipedia.org/wiki/Botnet">botnets</a> decided to zero in on my Drupal site and created what I call an unintentional <a href="http://en.wikipedia.org/wiki/Denial-of-service_attack">Denial of Service</a> attack (DoS). The attack was actually from spambots looking for script vulnerabilities found mainly in older versions of e107 and WordPress. Since the targets of these spambots were non-Drupal pages, my Drupal site responded by delivering an unusually large number of "page not found" and "access denied" error pages. Eventually, these requests from a multitude of IPs were too many for my server to handle and for all intents and purposes the botnet attack caused a distributed denial of service that prevented me and my users from accessing the site.</p> <p>These types of attacks on Drupal sites and numerous other content management systems are nothing new. However, my search at Drupal.org as well as Google didn't really find a solution that completely addressed my problem. 
Trying to prevent a DDoS attack isn't easy to begin with and at first the answers eluded me.</p> <p>I originally looked at Drupal for the solution to my problems. While I've used Mollom for months, Mollom is designed to fight off comment spam while the bots attacking my site were looking for script vulnerabilities that didn't exist. So with Mollom being the wrong tool to fight off this kind of attack, I decided to take a look at the Drupal contributed module <a href="http://drupal.org/project/badbehavior">Bad Behavior</a>. Bad Behavior is a set of PHP scripts which prevents spambots from accessing your site by analyzing their actual HTTP requests and comparing them to profiles from known spambots, then blocking such access and logging their attempts. I actually installed an <a href="http://drupal.org/node/422974#comment-2834608">"unofficial" version</a> of the Bad Behavior module which packages the Bad Behavior 2.1 scripts and utilizes services from <a href="http://www.projecthoneypot.org/">Project Honey Pot</a>.</p> <p>As I had already suspected, looking for Drupal to solve this botnet attack wasn't the answer. Pretty much all Bad Behavior did for me was to take the time Drupal was spending delivering "page not found" error pages and use it to deliver "access denied" error pages. My Drupal site is likely safer with the Bad Behavior module installed, but it was the wrong tool to help me reduce the botnets from overtaxing Drupal running on my server. Ideally, you would like to prevent the attacks from ever reaching your server by taking a look at such things as the firewall, router, and switches. However, since I didn't have access to the hardware, I decided it was time to look at my Apache configuration.</p> <p>I host my sites on a VPS and use cPanel to help manage the site. While cPanel's defaults will give you a stable server, there is definitely room to improve the default configuration. 
Despite all the places I searched for answers, the Apache documentation itself was the most helpful in finding which <a href="http://httpd.apache.org/docs/trunk/misc/security_tips.html#dos">Apache HTTP Server configuration</a> settings I should look at when addressing DoS attacks.</p> <p>I eventually looked at two directives to help resolve my DoS attacks, <a href="http://httpd.apache.org/docs/trunk/mod/mpm_common.html#maxclients">MaxClients</a> and <a href="http://httpd.apache.org/docs/trunk/mod/core.html#timeout">TimeOut</a>. For whatever reason, cPanel chooses a default value of 150 for <strong>MaxClients</strong> even though Apache's default is actually 256. Knowing that whenever the MaxClients limit was reached, my server wasn't accessible to the client, this was the first httpd directive I wanted to change. Raising this number seemed to delay the effects of the botnet overwhelming my server but it didn't quite solve the problem. Now instead of 150 bot requests being capable of stalling out my server, I could process 256 bot requests. All MaxClients did was invite more disrespectful people to a party that was already getting out of hand.</p> <p>So I moved on to what was ultimately the solution in my case: I lowered the value given in the <strong>Timeout</strong> directive. The value configured for the Timeout directive is the amount of time the server will wait for certain events before failing a request. Apache gives the following security tips for how this can be configured to help prevent DoS attacks:</p> <blockquote><p>The <code class="directive"><a href="http://httpd.apache.org/docs/trunk/mod/core.html#timeout">TimeOut</a></code> directive should be lowered on sites that are subject to DoS attacks. Setting this to as low as a few seconds may be appropriate. 
As <code class="directive"><a href="http://httpd.apache.org/docs/trunk/mod/core.html#timeout">TimeOut</a></code> is currently used for several different operations, setting it to a low value introduces problems with long running CGI scripts.</p> </blockquote> <p>For whatever reason, this directive by default is set to 300 seconds. While I can see a number of reasons why you might need five minutes to run a process before failing the request, that's a value I would be more comfortable to have on an intranet server (fully protected by firewall from the wild wild Web) than on an Internet server. So I lowered the TimeOut directive from 300 seconds to 10 seconds. After the value change, the average requests being processed at any given time dropped from 256 down to around 40. Most Drupal sites are going to need more processing time than 10 seconds, so you'll find out as I did that this number needs to be higher than 10. So far, I have found a value of 45 for the TimeOut directive allows my site to keep server performance high while handling all those requests from the bots without killing legitimate Drupal-related processes.</p> <p>So in the end, if you find that the spambots are overwhelming your Drupal site and you have the ability to override the httpd configuration file, <strong>try lowering the value of your Timeout directive down to 45</strong> or some other low number. 
Doing this first might just solve your problem and prevent the need for you to write a long-winded blog post about your experience.</p> <p><em>This article first appeared on <a href="http://cmsreport.com/articles/denial-of-service-on-an-apache-server-2778">CMS Report</a>.</em></p> </div> <div class="field field--name-field-tags field--type-entity-reference field--label-above"> <div class="field--label">Tags</div> <div class="field--items"> <div class="field--item"><a href="/tags/words" property="schema:about" hreflang="en">Words</a></div> <div class="field--item"><a href="/tags/drupal" property="schema:about" hreflang="en">Drupal</a></div> <div class="field--item"><a href="/tags/planet-drupal" property="schema:about" hreflang="en">Planet 
Drupal</a></div> <div class="field--item"><a href="/tags/spam" property="schema:about" hreflang="en">Spam</a></div> <div class="field--item"><a href="/tags/security" property="schema:about" hreflang="en">Security</a></div> <div class="field--item"><a href="/tags/system-administration" property="schema:about" hreflang="en">System Administration</a></div> <div class="field--item"><a href="/tags/information-technology" property="schema:about" hreflang="en">Information Technology</a></div> </div> </div> Tue, 06 Jul 2010 07:20:00 +0000 Bryan Ruby 1701 at https://bryanruby.com Flirting Robots https://bryanruby.com/flirting-robots-1511 <span property="schema:name">Flirting Robots</span> <span rel="schema:author"><span lang="" about="/users/bryan-ruby" typeof="schema:Person" property="schema:name" datatype="">Bryan Ruby</span></span> <span property="schema:dateCreated" content="2007-12-10T05:42:00+00:00">Sun, 12/09/2007 - 23:42</span> <div property="schema:text" class="field field--name-body field--type-text-with-summary field--label-hidden field--item"><p> I felt fear, awe, and even some admiration when I <a href="http://www.news.com/8301-13860_3-9831133-56.html?part=rss&amp;subj=news&amp;tag=2547-1_3-0-5">read at CNET</a> about the latest social engineering attack dreamed up by those ingenious Russian hackers. </p> <blockquote><p> Those entering online dating forums risk having more than their hearts stolen. </p> <p> A program that can mimic online flirtation and then extract personal<br /> information from its unsuspecting conversation partners is making the<br /> rounds in Russian chat forums, according to <a href="http://www.pctools.com/">security software firm PC Tools</a>. </p> <p> The artificial intelligence of CyberLover's automated chats is good<br /> enough that victims have a tough time distinguishing the "bot" from a<br /> real potential suitor, PC Tools said. 
The software can work quickly<br /> too, establishing up to 10 relationships in 30 minutes, PC Tools said.<br /> It compiles a report on every person it meets complete with name,<br /> contact information, and photos. </p> </blockquote> <p> Then again, there is one particular flaw when it comes to pulling identifiable information in an online dating forum. The flaw? It's a <em>dating forum</em>. I fear that this bot may find out that I'm a CEO of a multi-billion dollar company who likes to fly to the coast on weekends so I can sail one of my many yachts. Oh, I'm also still in my 20s, a chick magnet, and a full head of hair remains on top. Hopefully, the bots will not find this truthful information about me. Hmm, the feelings of fear, awe, and admiration I once felt for these hackers aren't so strong after all.</p> </div> <div class="field field--name-field-tags field--type-entity-reference field--label-above"> <div 
class="field--label">Tags</div> <div class="field--items"> <div class="field--item"><a href="/tags/security" property="schema:about" hreflang="en">Security</a></div> <div class="field--item"><a href="/tags/information-technology" property="schema:about" hreflang="en">Information Technology</a></div> <div class="field--item"><a href="/tags/thoughts" property="schema:about" hreflang="en">Thoughts</a></div> </div> </div> Mon, 10 Dec 2007 05:42:00 +0000 Bryan Ruby 1511 at https://bryanruby.com The botnets are coming to a Windows PC near you https://bryanruby.com/botnets-are-coming-windows-pc-near-you-1394 <span property="schema:name">The botnets are coming to a Windows PC near you</span> <span rel="schema:author"><span lang="" about="/users/bryan-ruby" typeof="schema:Person" property="schema:name" datatype="">Bryan Ruby</span></span> <span property="schema:dateCreated" content="2006-11-30T16:03:00+00:00">Thu, 11/30/2006 - 10:03</span> <div property="schema:text" class="field field--name-body field--type-text-with-summary field--label-hidden field--item"><p>The November 20, 2006 article "Spam surge linked to hackers" from <em>eWeek</em> is a must read. Unfortunately, I can't find the actual online version of the article in print.</p> <p>The article discusses the increasingly complex ways hackers are using botnets running on tens of thousands of hijacked Windows computers to spread spam. The article focuses on the research by <a href="http://www.secureworks.com/index.html">SecureWorks</a> regarding the malware trojan called <span class="MainContents"><a href="http://www.secureworks.com/analysis/spamthru/">Troj/SpamThru</a>. 
Some scary unique features have been identified with this trojan including:</span></p> <ul><li>Peer to Peer Communication (hackers can have control without a server) </li> <li>Anti-Virus Scanning (Uses anti-virus software to scan against rivals)</li> <li>Template-based spam</li> <li>Almost half of the PCs infected are PCs with Windows XP SP2 installed (outside of Vista, Microsoft's most <em>secure</em> Windows system to date).</li> </ul><p>Do I bring this up because I don't like Microsoft products? Not at all and in fact as I write this post I'm using a Windows XP system. My point is that if you plan on using Windows XP do all of us a favor and be sure you've installed on your PC the latest software updates and security patches available.</p> <p><em> Shame on you</em> if you are still using an older and even less secure Windows system such as 98, ME, 2000, XP, XP SP1. If you aren't running a firewall and/or anti-virus software with your Windows system because of "performance issues"...either get yourself some new hardware or consider loading an alternative operating system such as Linux.</p> <p> Above all, start practicing safe computing. I don't want to hear any excuses why you're not... 
</p> </div> <div class="field field--name-field-tags field--type-entity-reference field--label-above"> <div class="field--label">Tags</div> <div class="field--items"> <div class="field--item"><a href="/tags/information-technology" property="schema:about" hreflang="en">Information Technology</a></div> <div class="field--item"><a href="/tags/security" property="schema:about" hreflang="en">Security</a></div> <div class="field--item"><a href="/tags/thoughts" property="schema:about" hreflang="en">Thoughts</a></div> </div> </div> Thu, 30 Nov 2006 16:03:00 +0000 Bryan Ruby 1394 at https://bryanruby.com